PT-2010-2962 · Microsoft · Office Infopath

Chris Weber · Published 2010-06-08 · Updated 2023-12-07 · CVE-2010-1257

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Microsoft Office InfoPath versions 2003 SP3 through 2007 SP2
Office SharePoint Server versions 2007 SP1 through 2007 SP2
SharePoint Services versions 3.0 SP1 through 3.0 SP2
Internet Explorer version 8

Description

The issue is related to a cross-site scripting (XSS) vulnerability in the toStaticHTML API. This vulnerability allows remote attackers to inject arbitrary web script or HTML via vectors related to sanitization, potentially leading to information disclosure. An attacker could exploit this vulnerability by constructing a specially crafted Web page, allowing the attacker to execute script in the user's security context against a site that is using the toStaticHTML API.

Recommendations

For Microsoft Office InfoPath versions 2003 SP3 through 2007 SP2, consider disabling the toStaticHTML API until a patch is available.
For Office SharePoint Server versions 2007 SP1 through 2007 SP2, restrict access to the toStaticHTML API to minimize the risk of exploitation.
For SharePoint Services versions 3.0 SP1 through 3.0 SP2, avoid using the toStaticHTML API in sensitive operations until the issue is resolved.
For Internet Explorer version 8, as a temporary workaround, consider disabling the toStaticHTML() function until a patch is available.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2010-1257

Affected Products

Internet Explorer
Office Infopath
Office Sharepoint Server
Sharepoint Services
Sharepoint Server